[SECURITY] Show only explicitly configured page tree information (668fc554) · Commits · TYPO3 / TYPO3.CMS

Commit 668fc554 authored 5 months ago by

Oliver Hader Committed by Oliver Hader 5 months ago

[SECURITY] Show only explicitly configured page tree information

Backend users were able see page tree items without having access:
- in case no DB mounts were configured for a particular user
  and page permissions configured to allow "everybody"
- in case DB mounts were pointing to pages, but actually not having
  any permission configured for these pages (user/group/everybody)

It was not possible to manipulate any of the affected pages.

Resolves: #104397
Releases: main, 13.3, 12.4, 11.5
Change-Id: I52079c8cef3d78946083403adb23a3e1a706c652
Security-Bulletin: TYPO3-CORE-SA-2024-012
Security-References: CVE-2024-47780
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/86497


Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>

parent daad8944

No related merge requests found

Hide whitespace changes

Inline Side-by-side

Showing with 70 additions and 19 deletions

Please register or to comment